Week 7 Post – Security Failures

In the latest security failure, Krebs on Security reports that “The American Dental Association (ADA) says it may have inadvertently mailed malware-laced USB thumb drives to thousands of dental offices nationwide.”

The USB thumb drives are used to send dental procedure code updates to dental offices nationwide. These days, with Internet access everywhere, why would the ADA use the US Mail to send USB drives to update these dental procedure codes? There are so many electronic options available for disseminating this information, yet the ADA is using postal mail to send electronic information.

It’s not just the expense and the startlingly outdated method of data delivery. Not using typical antivirus tools, and spreading malware to thousands of computers containing HIPAA-regulated Protected Health Information, is certainly alarming.

Image:  DSL Reports Security Forum. DSLR member “Mike” from Pittsburgh

As reported by KrebsOnSecurity, the ADA said it sent the following email to members who have shared their email address with the organization:

“We have received a handful of reports that malware has been detected on some flash drives included with the 2016 CDT manual,” the ADA said. “The ‘flash drive’ is the credit card sized USB storage device that contains an electronic copy of the CDT 2016 manual. It is located in a pocket on the inside back cover of the manual. Your anti-virus software should detect the malware if it is present. However, if you haven’t used your CDT 2016 flash drive, please throw it away.”

“To give you access to an electronic version of the 2016 CDT manual, we are offering you the ability to download the PDF version of the 2016 CDT manual that was included on the flash drive.”

The ADA said the USB “credit card” media was “manufactured in China by a subcontractor of an ADA vendor, and that some 37,000 of the devices have been distributed. The not-for-profit ADA is the nation’s largest dental association, with more than 159,000 members.”

Why wouldn’t the ADA just stop at providing the PDF version of the manual in the first place?

 

Reference

Krebs on Security. (n.d.). Retrieved May 01, 2016, from http://krebsonsecurity.com/2016/04/dental-assn-mails-malware-to-members/#more-34598